Measuring the Effectiveness of Application Security Policies

It's easy for software vendors to insist that their products are safe, simply by pointing to the small number of vulnerabilities detected. But, as David Chisnall notes, statistics lie: just because a package has few REPORTED vulnerabilities doesn't mean that it actually HAS few vulnerabilities, nor does the count say anything about the severity of the holes that are reported. In this article Chisnall argues that the true measure of security is what happens once a vulnerability is found.

Choosing the Right Measure

There have been a lot of reports in the news recently about the relative
security of different platforms. For the most part, the press uses completely
uninformative measures, such as the number of vulnerabilities found in a given
time period—a measure orthogonal to the number of remaining
vulnerabilities. If 10 vulnerabilities are found in one program and 20 in
another, this doesn’t tell you anything about the number of
vulnerabilities remaining.

The important question is not how many vulnerabilities are found, but what
happens when one is discovered. It has been said that security is a process, not
a state, but it’s also an attitude.